Wednesday, July 13, 2011

http://arstechnica.com/apple/guides/2011/07/making-a-clean-start-with-lion-migrating-without-assistance.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

Friday, June 3, 2011

ActiveDirectoryWinbindHowto

http://wiki.samba.org/index.php/Samba_%26_Active_Directory
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

Thursday, May 26, 2011

Thursday, April 7, 2011

import json


class Subscriber(object):
    firstname = None
    lastname = None


class Post(object):
    author = None
    title = None


def decode_from_dict(cls, vals):
    # Instantiate cls and copy every key of the JSON dict onto it as an attribute.
    obj = cls()
    for key, val in vals.items():
        setattr(obj, key, val)
    return obj


# Only these type tags are turned into objects; any other dict is returned as-is.
SERIALIZABLE_CLASSES = {'Subscriber': Subscriber,
                        'Post': Post}


def decode_object(d):
    # object_hook: json.loads calls this for every JSON object, innermost first,
    # so a nested {"Subscriber": ...} value is already a Subscriber instance here.
    for field in d:
        if field in SERIALIZABLE_CLASSES:
            cls = SERIALIZABLE_CLASSES[field]
            return decode_from_dict(cls, d[field])
    return d


# Closing braces fixed so that "title" sits inside the Post object rather than
# beside it (where decode_object would have silently dropped it).
results = '''[{"Subscriber": {"firstname": "Neal", "lastname": "Walters"}},
{"Post": {"author": {"Subscriber": {"firstname": "Neal",
"lastname": "Walters"}},
"title": "Decoding JSON Objects"}}]'''

objects = json.loads(results, object_hook=decode_object)
print(type(objects[0]).__name__, objects[0].firstname, objects[0].lastname)
print(type(objects[1]).__name__, objects[1].title, type(objects[1].author).__name__)

Thursday, March 17, 2011

How do I reset the ReadyNAS to factory default?
Resetting the ReadyNAS back to factory default will wipe out all configuration and data. Please understand this before continuing. If you choose to continue, here are the steps:
  1. Power down the ReadyNAS.
  2. Locate the reset pinhole.
    1. ReadyNAS 600/X6: the pinhole is on the back in the lower left corner.
    2. ReadyNAS 1000S/1100: the pinhole is in the front.
    3. ReadyNAS NV/NV+/Duo: the pinhole is next to the USB port in the back.
  3. Get a straightened paper clip and depress the hidden switch in the pinhole while the power is off, and then power on the ReadyNAS, keeping the switch depressed for about 30 secs.
  4. You will see the drive LEDs in the front blink once at about 5 secs and again at about 30 secs. Release the switch at the 2nd blink.

  5. There will be a 10-minute window where you can use RAIDar to change the RAID mode and/or select the snapshot reserved space. RAIDar will prompt with "Click Setup". If you do not click Setup, the installation will begin with the default settings. Otherwise, it will begin when you've confirmed your option selection in RAIDar. You can monitor the installation progress with RAIDar.

Monday, March 14, 2011

Wednesday, March 2, 2011

Chapter 38. The Samba Checklist


Tuesday, March 1, 2011

Ubuntu Bloke: HOWTO: SAMBA + LDAP on 10.04 Lucid


Looks like the blog this was on is no longer available so I'm putting the contents here.

Wow, it has taken me weeks to get this to the point that it seems to be working. The official documentation is horribly broken, but I have finally got what I think is a working solution. I will probably need to tweak this guide as time goes on (see the end of the post for revision history).

PLATFORM:
* Ubuntu Server 10.04 LTS (Lucid)

PREREQUISITES:
* A standard vanilla Ubuntu 10.04 server install.
* An NFS server exporting the users' home directories

Network overview:
* domain name: tuxnetworks.com
* ldap-server 10.1.1.5

Install The Packages

We want to install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities. While we are at it we will also install the Samba-related packages:

sudo apt-get install slapd ldap-utils samba samba-doc libpam-smbpass smbclient smbldap-tools
Notes:
By default slapd is configured with minimal options needed to run the slapd daemon.

The configuration in the following sections will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.tuxnetworks.com, the default suffix will be dc=tuxnetworks,dc=com.

Populating the server
Notes:
OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc. without stopping the service.

The backend cn=config directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a "classical" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

* For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details.

* Remember to change dc=tuxnetworks,dc=com in the following examples to match your LDAP configuration.

First, some additional schema files need to be loaded. In a terminal enter:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif


Next, create an LDIF file

vi ~/backend.ldif

With the following contents:

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=tuxnetworks,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=tuxnetworks,dc=com
olcRootPW: mypassword
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=tuxnetworks,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=tuxnetworks,dc=com" write by * read

* Don't forget to change dc=tuxnetworks,dc=com and olcRootPW to suit your own domain details. Rather than the plaintext mypassword shown above, olcRootPW should hold a hash generated with slappasswd (an {SSHA} value, for example), so the admin password is not stored in the clear in cn=config.

Now add the LDIF to the directory:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif

Download this Samba config file:

wget http://www.tuxnetworks.com/configs/smb.conf

Edit it to suit your network and then copy the new smb.conf file into place:

sudo cp smb.conf /etc/samba/

Samba needs us to tell it the LDAP admin password:

sudo smbpasswd -W

And finally, we restart Samba:

sudo service smbd restart

You can test that Samba works by using smbclient (when it asks for root's password just press Enter):

sudo smbclient -L localhost

You should see something like this:

operator@callisto:~$ sudo smbclient -L localhost
Enter root's password:
Anonymous login successful
Domain=[SAMBA] OS=[Unix] Server=[Samba 3.4.7]

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers Share
shared Disk
archive Disk
IPC$ IPC IPC Service (Samba 3.4.7)
Anonymous login successful
Domain=[SAMBA] OS=[Unix] Server=[Samba 3.4.7]

Server Comment
--------- -------
CALLISTO Samba 3.4.7

Workgroup Master
--------- -------
SAMBA CALLISTO


Our Samba users require profile and netlogon directories; let's create them now:

sudo mkdir -v -m 777 /var/lib/samba/profiles
sudo mkdir -v -p -m 777 /var/lib/samba/netlogon

Note that mode 777 makes both directories world-writable. Beyond a test box, profiles only needs the sticky bit added (1777) so users cannot remove each other's profiles, and netlogon can be read-only for users (755) since only administrators place logon scripts there.


Next we must add the samba schemas to the LDAP server. These schemas are part of the samba-doc package that we installed earlier.

sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
sudo gzip -d /etc/ldap/schema/samba.schema.gz


These schemas must be converted to the "ldif" format before we can use them.

Create a file called schema_convert.conf

vi ~/schema_convert.conf

and paste in the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema


Next, use slapcat to convert the schemas. The {12} in the DN below is the zero-based position of samba.schema in schema_convert.conf (it is the thirteenth include), so adjust it if you changed that file:

slapcat -f ~/schema_convert.conf -F ~ -n0 -s "cn={12}samba,cn=schema,cn=config" > ~/cn=samba.ldif

slapcat will generate a file "~/cn\=samba.ldif". Edit this file:

vi ~/cn\=samba.ldif

and change the following attributes:

dn: cn={12}samba,cn=schema,cn=config
...
cn: {12}samba


to

dn: cn=samba,cn=schema,cn=config
...
cn: samba


Also, remove all these lines at the bottom of the file.

structuralObjectClass: olcSchemaConfig
entryUUID: 99e797a8-07cb-102f-8c5c-739a8467e607
creatorsName: cn=config
createTimestamp: 20100609043122Z
entryCSN: 20100609043122.188753Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100609043122Z


Add the schema to the server:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/cn\=samba.ldif

This should return the following lines with no errors.

adding new entry "cn=samba,cn=schema,cn=config"

Let's check how things are going with the following query:

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb

You should see a metric shedload of output with this at the end:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


If you see output like above then your LDAP server is working, but we still need to finish configuring samba.

Unpack the smbldap-tools configuration script (the smbldap-tools package was installed earlier):

sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz

Now we are going to execute a Perl script which will set up Samba for us. For almost every prompt you should just press Enter. There are a few exceptions, however.
When asked for "logon home" and "logon path" enter a "." (full stop) and nothing else. When asked for a password (ldap master/slave bind password) use the password for the "admin" account that you entered earlier. Remember, leave the default value for everything else!

Run the script:

sudo perl /usr/share/doc/smbldap-tools/configure.pl

Now that the script has created our configuration, we can use it to populate the server:

sudo smbldap-populate

The final touches:

sudo /etc/init.d/slapd stop
sudo slapindex
sudo chown openldap:openldap /var/lib/ldap/*
sudo /etc/init.d/slapd start


Make "root" the domain administrator:

sudo smbldap-groupmod -m 'root' 'Administrators'

If this returns adding user root to group Administrators with no errors then you are looking good!

Now, we need to allow clients to authenticate via LDAP. To do this we need to install a package.

sudo apt-get --yes install ldap-auth-client

We also need to tell PAM and the Name Service Switch to use LDAP for authentication:

sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update ldap


If all has gone well, you should now be able to add a user to the database:

sudo smbldap-useradd -a -m -P brettg

You can check your new user by issuing this command:

ldapsearch -xLLL -b "dc=tuxnetworks,dc=com" uid=brettg

Next, you should go ahead and install phpLDAPadmin or configure a client.

Revisions:
13/7/2010- Karan Pratap Singh pointed me to another howto which does some things in a better way than mine did. I have merged the parts that I like into my document (see comments)

Monday, February 28, 2011

VMware Communities: Troubleshooting Performance Related Problems in vSphere 4.1 Environments

The troubleshooting guide for vSphere 4.0 can be found at: http://communities.vmware.com/docs/DOC-10352

[ubuntu] Where is add-apt-repository? - Ubuntu Forums

Interesting...try this:
Code:
sudo apt-get install --reinstall python-software-properties && sudo dpkg-reconfigure python-software-properties


VMware KB: Installing VMware Converter 4.2 fails with the error: Error 29454 Setup failed to register VMware vCenter Converter extension


Friday, February 25, 2011

How to: Attach a Database (SQL Server Management Studio)


Attaching a database places it in exactly the same state that it was in when it was detached.


File access permissions are set during a number of database operations, including detaching or attaching a database. For information about file permissions that are set whenever a database is detached and attached, see Securing Data and Log Files.

We recommend that you do not attach or restore databases from unknown or untrusted sources. Such databases could contain malicious code that might execute unintended Transact-SQL code or cause errors by modifying the schema or the physical database structure. Before you use a database from an unknown or untrusted source, run DBCC CHECKDB on the database on a nonproduction server and also examine the code, such as stored procedures or other user-defined code, in the database.


For more information about attaching databases and information about changes that are made to metadata when you attach a database, see Detaching and Attaching Databases.

For information about the permissions required for attaching a database, see CREATE DATABASE (Transact-SQL).


To attach a database

  1. In SQL Server Management Studio Object Explorer, connect to an instance of the Microsoft SQL Server Database Engine, and then expand that instance.

  2. Right-click Databases and click Attach.

  3. In the Attach Databases dialog box, to specify the database to be attached, click Add; and in the Locate Database Files dialog box, select the disk drive where the database resides and expand the directory tree to find and select the .mdf file of the database; for example:

    C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\AdventureWorks2008R2_Data.mdf

    Important:

    Trying to select a database that is already attached generates an error.

  4. Optionally, to specify a different name for the database to attach as, enter the name in the Attach as column of the Attach Databases dialog box.

  5. Optionally, change the owner of the database by selecting a different entry in the Owner column.

  6. When you are ready to attach the database, click OK.

    Note:

    A newly attached database is not displayed in the Databases node of Object Explorer until the view is refreshed. To refresh the view at any time, click in Object Explorer, and then click Refresh on the View menu.



How to: Detach a Database (SQL Server Management Studio)

To detach a database

  1. In SQL Server Management Studio Object Explorer, connect to the instance of the SQL Server Database Engine and then expand the instance.

  2. Expand Databases, and select the name of the user database you want to detach.

  3. Detaching a database requires exclusive access to the database. If the database is in use, restrict access to a single user:

    • Right-click the database name and point to Properties.

    • In the Select a page pane, select Options.

    • In the Other options pane, scroll down to the State options.

    • Select the Restrict Access option, and in its drop-down list, select Single.

    • Click OK.

      A message box appears to inform you that this action will close all connections to the database. To proceed, click OK.

  4. Right-click the database name, point to Tasks, and then click Detach. The Detach Database dialog box appears.

  5. The Databases to detach grid displays the name of the selected database in the Database Name column. Verify that this is the database you want to detach.

  6. By default, the detach operation retains any out-of-date optimization statistics when detaching the database; to update the existing optimization statistics, click the Update Statistics check box.

  7. By default, the detach operation keeps any full-text catalogs that are associated with the database. To remove them, clear the Keep Full-Text Catalogs check box.

  8. The Status column displays the current database state (either Ready or Not Ready).

    If the status is Not Ready, the Message column displays hyperlinked information about the database. When a database is involved with replication, the Message column displays Database replicated. When a database has one or more active connections, the Message column displays Active connections; for example, 1 Active connection(s). Before you can detach the database, you must disconnect any active connections by selecting the Drop Connections check box.

    To obtain more information about a message, click the hyperlink.

  9. When you are ready to detach the database, click OK.



Wednesday, February 23, 2011

vmware vcenter converter how to start it - Virtualization Team

Where can I find vmware vCenter converter in VMware vCenter 4?

Unfortunately, unlike most other VMware features, the VMware vCenter Converter does not have any obvious shortcut in vCenter. To start vCenter Converter in Virtual Center you will need to follow the steps below:

  1. Make sure you are in host & clusters view.
  2. Choose one of your hosts or clusters in vCenter
  3. From the top drop-down menu choose one of the following paths, depending on whether you chose a host or a cluster in step 2.

Inventory ==> Host ==> Import Machine

Inventory ==> Cluster ==> Import Machine

[Image: vmware vcenter convertor how to start it (screenshot demonstrating the steps above)]



Friday, February 18, 2011

how to chroot, simple and fast [Archive] - Ubuntu Forums

Pick up a liveCD, version doesn't matter, you could use any distro, as long as it lets you get to a console.


# means run with root or sudo

1. Create a mountpoint
# mkdir /mount/point

2. Mount /proc /sys /dev to chroot
# mount -o bind /proc /mount/point/proc
# mount -o bind /dev /mount/point/dev
# mount -o bind /dev/pts /mount/point/dev/pts
# mount -o bind /sys /mount/point/sys

3. Copy resolv.conf to networking
# cp /etc/resolv.conf /mount/point/etc/resolv.conf

4. Open bash in chroot
# chroot /mount/point /bin/bash

5. Do what you have to do and then exit chroot
exit

There may be a more elegant way of achieving this, but this one has stuck with me.

Hope this helps someone, this is probably posted on multiple sites, but what the heck, now no need to search around ;)


Wednesday, February 16, 2011

» Proxy Auto-Detect (IE and Firefox) -> Pavlov Scope


Recently, my organization had the need to provide web proxy service to internal users, while not clobbering hotel, home, remote office, coffee shoppe, etc. type access while users were roaming outside of our divisions’ walls. The purpose is to apply content filtering rules to outbound Web traffic based on our organization’s security policy (i.e. no external webmail, personal web storage sites, etc.). I did some research and testing on this side and have come up with a solution that seems to work well across the board for our clients.

Using Internet Explorer’s capability to Automatically detect proxy server settings, IE uses the proxy when the proxy server is reachable, and connects directly when it is not. I have tested this with success (after a lot of initial troubles and debugging ;-)

The components involved in the proposed and tested solution:

  • Proxy Auto-configuration file (PAC)

  • Web Proxy Automatic Discovery (WPAD)

  • Related DHCP and DNS settings

  • Internal Web server

  • Group Policies in Active Directory (GPO)

PAC file:

The first step is to configure the Proxy Auto-configuration file (or PAC for short). This is a JavaScript-like file that has a set of predetermined variables and functions for use in making decisions defining the browser’s behavior at runtime. See below for references.

This file can be hard coded in the browser, or preferably delivered using WPAD (see next).

I have built the following sample file using the PAC spec standards which tests for exception sites first (should be accessed directly by the browser) – things like internal sites, private addresses, etc.

Then, the file will test against the client’s IP address (to determine network location). If the IP address is within our internal subnet ranges, it sets the proxy server(s) to use.

The file ends with an else statement that catches all other conditions and sets the browser to use direct access (for when the computer is located outside corporate-controlled facilities).

I have successfully tested this file format with both IE and Firefox. It is provided below as an example for you to utilize, but I make no warranties or claims of fitness-to-purpose. There are many additional testing conditions that might be more relevant to another environment or set of business policies (e.g. Time-of-day, day-of-week, DNS information, etc.).

Sample file:

function FindProxyForURL(url, host)
{
    // Exception sites: private address space, bare hostnames, loopback and the
    // internal domain are always reached directly, wherever the client is.
    if (
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0") ||
        isPlainHostName(host) ||
        localHostOrDomainIs(host, "127.0.0.1") ||
        dnsDomainIs(host, ".company.local")
    )
        return "DIRECT";

    // Client is on one of the internal subnets: send everything else via the proxies,
    // in fail-over order.
    else if (
        isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0") ||
        isInNet(myIpAddress(), "10.2.0.0", "255.255.0.0") ||
        isInNet(myIpAddress(), "10.3.0.0", "255.255.0.0") ||
        isInNet(myIpAddress(), "10.4.0.0", "255.255.0.0") ||
        isInNet(myIpAddress(), "10.7.0.0", "255.255.0.0") ||
        isInNet(myIpAddress(), "10.9.0.0", "255.255.0.0") ||
        isInNet(myIpAddress(), "10.10.0.0", "255.255.0.0") ||
        isInNet(myIpAddress(), "169.254.0.0", "255.255.0.0") ||
        isInNet(myIpAddress(), "172.16.199.0", "255.255.255.0")
    )
        return "PROXY prx0.us.company.local:8080;" +
               "PROXY prx1.us.company.local:8080";

    // Anywhere else (hotel, home, hotspot): no proxy.
    else return "DIRECT";
}

Note: Thanks to Jay Kulsh for pointing out RFC1918 compliance in above network tests.
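Before publishing a PAC file via WPAD it is worth checking its decisions offline against representative client addresses. The following is an added example, not code from the original post: a small Node.js harness that wraps the sample PAC above with stand-in versions of the browser-supplied helpers (isInNet, isPlainHostName, dnsDomainIs, localHostOrDomainIs, myIpAddress). The helper implementations and the decide() wrapper are assumptions; they do no DNS, so isInNet() only matches when the host argument is already an IP literal.

```javascript
// Added example (not from the original post): evaluate the sample PAC logic
// offline for a chosen client address. The PAC helper functions below are
// assumptions re-implemented without DNS resolution; in a browser they are
// provided by the PAC runtime.

let clientIp = "0.0.0.0"; // stands in for the browser's own address (assumption)

// Parse "a.b.c.d" into an unsigned 32-bit integer; null if not an IPv4 literal.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if host (an IP literal here) falls inside pattern/mask.
function isInNet(host, pattern, mask) {
  const a = ipToInt(host), n = ipToInt(pattern), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// Exact match, or an unqualified host matching the hostname part of hostdom.
function localHostOrDomainIs(host, hostdom) {
  return host === hostdom || hostdom.indexOf(host + ".") === 0;
}

function myIpAddress() {
  return clientIp;
}

// The sample PAC function from the post, unchanged.
function FindProxyForURL(url, host) {
  if (
    isInNet(host, "10.0.0.0", "255.0.0.0") ||
    isInNet(host, "172.16.0.0", "255.240.0.0") ||
    isInNet(host, "192.168.0.0", "255.255.0.0") ||
    isPlainHostName(host) ||
    localHostOrDomainIs(host, "127.0.0.1") ||
    dnsDomainIs(host, ".company.local")
  )
    return "DIRECT";
  else if (
    isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0") ||
    isInNet(myIpAddress(), "10.2.0.0", "255.255.0.0") ||
    isInNet(myIpAddress(), "10.3.0.0", "255.255.0.0") ||
    isInNet(myIpAddress(), "10.4.0.0", "255.255.0.0") ||
    isInNet(myIpAddress(), "10.7.0.0", "255.255.0.0") ||
    isInNet(myIpAddress(), "10.9.0.0", "255.255.0.0") ||
    isInNet(myIpAddress(), "10.10.0.0", "255.255.0.0") ||
    isInNet(myIpAddress(), "169.254.0.0", "255.255.0.0") ||
    isInNet(myIpAddress(), "172.16.199.0", "255.255.255.0")
  )
    return "PROXY prx0.us.company.local:8080;" +
           "PROXY prx1.us.company.local:8080";
  else return "DIRECT";
}

// Evaluate the PAC as a client at `ip` would; returns the proxy string.
function decide(url, host, ip) {
  clientIp = ip;
  return FindProxyForURL(url, host);
}

// Constructed scenarios: an internal desktop reaching an external site, the
// same desktop reaching an intranet site, a home user on RFC1918 space, and a
// client on an internal subnet (10.5.0.0/16) that the PAC list does not cover.
const cases = [
  ["internal client, external site", "www.example.com", "10.2.5.7"],
  ["internal client, intranet site", "intranet.company.local", "10.2.5.7"],
  ["home client, external site", "www.example.com", "192.168.1.20"],
  ["unlisted internal subnet", "www.example.com", "10.5.1.1"],
];
for (const [label, host, ip] of cases) {
  console.log(label.padEnd(32), "->", decide("http://" + host + "/", host, ip));
}
```

The last scenario is the one to watch: a client on 10.5.0.0/16 goes DIRECT even though it sits inside 10/8, so every internal range must appear in the second test or traffic from it bypasses the filter without any error.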

WPAD

Second came the challenge of getting the clients to use that file without hard-setting it (hardcoding almost always an undesirable option if it can be avoided). The mechanism used for this is WPAD, which allows the browser to "discover" where the above configuration file is stored, allowing it to then dynamically pull it down and apply the function code therein during operation. There are several mechanisms available to WPAD, but they center on DHCP and DNS. I have opted to implement both the required elements of the standard (DHCP option and DNS "well known alias" methods), and have left alone the optional requirements as they are redundant for my purposes and remain unused if the required elements exist – if the required elements are unavailable (in my environment), it would be equivalent to a network outage at which point we have bigger problems to solve than WPAD not functioning.

The first step to configure WPAD is to put the PAC file onto a web server for all users to access. Depending on the web server platform and version chosen to host the file, this might require defining additional MIME types to allow the server to properly serve the file (see standard). As a reference point, Win2K’s IIS server generally hosts whatever files you make available, whereas Win2K3 (2003 Server) IIS requires the additional MIME definitions – otherwise you will receive 403 errors, and the browser will transparently fail to pick up the PAC file without displaying an error message (by design).

The recommendation is to place the PAC file on the same server that hosts the proxy. The rationale is that if it is unavailable, implicitly so is the proxy and as such, should not be utilized. However, one might opt to locate the PAC file on a neutral / different server (independent of the proxy) to allow for more robust proxy fail-over (since the PAC standard allows for multiple proxies to be defined for fail-over).

DHCP: The second step is to configure a custom vendor option on the DHCP server. The reserved vendor option for WPAD is 252, and must be created on the DHCP Server config first. Then you can configure scopes (either via a server-wide setting or a per-scope setting, as relevant to your environment) with the proper URL string which tells the browser where to get the PAC file. However, the DHCP piece is not fully functional for PAC file location until the AutoDetect option is enabled in the web browser. In Firefox, this is the "auto-detect proxy" setting under Tools-Options-Connections – In IE, one can deploy the setting via GPO (see below). The value of the 252 WPAD option is the full URL to the PAC file, including FQDN of the web server (e.g. http://websrv.us.company.local/wpad.dat). This is the first component tried by WPAD for PAC file location, and is a required component of the standard.

DNS: The third configuration change I made was to place a DNS entry (can be an A or CNAME record) which includes a "well-known alias" for the service discovery – in my case – "wpad" without the quotes, which points to the proxy server. I opted for a CNAME record to alias the proxy itself since that is where my PAC file was located and maintaining multiple autonomous A records for the same host is problematic in this case.

The DNS option appears to be the one favored by Firefox, although secondary by IE based on my test results, so I implemented both to cover both browsers more effectively. (Note: In my corporate environment, the Proxy server in use uses proprietary auth mechanisms that Opera does not support, thereby preventing Opera from functioning with my organization’s proxy. This is why no mention of the Opera browser in this Windows-centric platform discussion).

GPO

The setting to have IE use Auto Detection for its Proxy settings is configured in the same place in Group Policy as if one was hard-coding the proxy (Internet Explorer Maintenance) – it is just a different option. This affects only IE at this time, since Firefox is not natively GPO-aware (author note: Efforts are underway to allow Firefox GPO administration, but not covered here – will cover in an upcoming entry) .

In the Internet Explorer Maintenance area:



User Configuration – Windows Settings – Internet Explorer Maintenance

"Automatically detect configuration settings" – Enabled
"Automatic Browser Configuration" – Not configured

This sets IE to use WPAD to discover the PAC file.

Additionally, in the Computer Configuration area, the following settings should be changed to maintain consistency and compliance of the browser’s settings:



Computer Configuration – Administrative Templates – System/Group Policy

"Internet Explorer Maintenance policy processing" – Enabled
"Allow processing across a slow network connection" – Enabled
"Do not apply during periodic background processing" – Disabled
"Process even if the Group Policy objects have not changed" – Enabled

These computer-level GPO settings set and renew the settings continually, even across slow connections, so that if a user has tampered with the IE proxy settings, they will be changed back (although I know this has worked with other configs, I have not had the time to fully test – i.e. tried to break – this setting yet, so I’m not certain how effective it is in overriding, for example, a proxy the user has defined themselves). Obviously, the best practice would be to hide the Connections tab (and perhaps other areas) from the UI to prevent tampering. Additionally, users should not have Admin rights to their machine if an effective policy is to be maintained with any consistency.

Firefox

The methods described in the above sections, when implemented together, support both IE and Firefox. The main hurdle is centrally deploying the Auto-Detect setting to both browser platforms consistently. Additionally, unrelated, anyone using Firefox should upgrade to 1.5.0.1 if they have not already, for security reasons.

Although many organizations do not officially advocate the use of Firefox (since there are still some management/administration hurdles for corporate deployment), I felt that it was important to find a workable solution that fit for both browsers since use of Firefox has become much more prevalent in the past year. Some organizations might choose to limit the use of Firefox altogether for other reasons (such as application standards, etc.), but I wanted to make the solution as browser-agnostic (cross platform) as possible.

I found that Firefox had some unexpected (by me) behavior in the way that it searched for the PAC file. Specifically, the Auto-Discover mechanism seems to always query the configured web server for the filename wpad.dat (instead of proxy.pac as I originally had the 252 DHCP WPAD option configured). IE obeyed my configuration, but Firefox insisted otherwise. Workaround, and the standard generally used by Windows shops anyway, was to make the name the file wpad.dat, update the 252 option accordingly, and then both browsers could automatically discover the file appropriately.

Also, on an unrelated note, I have had some odd, almost random, occurrences of Firefox interoperability problems with the Computer Associates (CA) SCM (Secure Content Manager) Proxy service. In some cases, the user is prompted for an ID, when – in fact – this authentication should be transparent (based on internal domain ID). The same behavior is not exhibited in IE thus far.

Further research and "development watching" I am taking from this include the emerging capability for Firefox to be administered via GPO as well as an initiative inside the Firefox open-source development community to support MSI installers for corporate deployment and easy updates (that is, from the Mozilla side). There are third parties that have made great gains in both GPO and MSI for Firefox, but as I stated – that is something I’ll get into in an upcoming post.

Conclusion

From the testing I have done so far, both browsers appear to behave as expected once AutoDetection is setup as above. If the PAC file is not reachable using the "AutoDetect" WPAD mechanism, both browsers automatically default to direct, which gets around the issue of hard-coded proxy settings in hotels, WiFi hotspots, etc. Additionally, once the user connects to the VPN, they receive an internal IP address which matches on the PAC rules, and WPAD finds the PAC file to utilize (via the DNS mechanism of WPAD) and begins using the proxy for connections to the Web – thereby applying our corporate policies.

This system of configurations represents a "best effort" to provide technical compliance with our corporate policies with regard to web content filtering. There still exist some unavoidable loopholes, but those should be addressed through policy education to the user community (i.e. they are not allowed to browse the web in remote locations – home, hotel, airport, coffeeshoppes, etc. – without first connecting to the VPN). Adherence to that policy can be assured with monitoring, logging, and other tools.

References

For more technical information about the PAC and WPAD components of this proposed solution, please reference the following links:

PAC – This file’s format (along with some samples) is described here: http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html

WPAD – The IETF spec for Web Proxy Automatic Discovery: http://www.wrec.org/Drafts/draft-cooper-webi-wpad-00.txt

I hope this was helpful or informative to some of you out there! Good luck and if you have any questions or comments, please use the comment area or email me directly.

Tuesday, February 15, 2011

log_file_analysis | DansGuardian Documentation Wiki

If you nevertheless find it necessary to analyze the Squid stub logs, the first issue that will occupy your attention will probably be that everything in the Squid log appears to originate from the same address, 127.0.0.1 (“localhost” or “loopback”). This makes sense as in this environment all requests to Squid come from DansGuardian. You may desire to instead have the Squid logs point at the “real” originating IP rather than at DansGuardian.

To do this, you'll need to both 1) have DansGuardian forward the information to Squid (which would otherwise not even have the information and so of course not be able to display it), and 2) have Squid include the information in its logs.

To make 1) happen, set forwardedfor = on in dansguardian.conf. This will cause DansGuardian to add an X-Forwarded-For: header containing the IP address of the real originator to every web request it passes to Squid.

To make 2) happen is different for different releases of Squid, and will usually (but not always) happen by default. For Squid 2.5 and before, you must apply a source code patch and rebuild Squid. The source code patch is available on the DansGuardian website by clicking on “Extras and Add-Ons” and under the “3rd Party plugins and patches for squid” heading fetching “Patch for squid that makes it log the X-Forwarded-For IP”. For Squid 2.6 and 2.7, set log_uses_indirect_client on (which in turn requires something like follow_x_forwarded_for allow localhost) in squid.conf. (This is the default Squid configuration, so it may work without explicit settings.) For Squid 3.0, set forwarded_for on in squid.conf. (This is the default Squid configuration, so it may work without explicit settings.)

Note that as a side effect of these settings, in many cases Squid will send the X-Forwarded-For: header on to the actual website, thus exposing some of your internal IP addresses and possibly allowing websites to disentangle individual users. (You can prevent this in Squid 3.1 and later by specifying forwarded_for delete.) You may or may not decide that having the “real” origin IP address in the Squid logs is so important that it overrides any possible security and privacy concerns.

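As an added example (not DansGuardian or Squid code), this small model follows one request through the two hops the wiki text describes and returns the two things an administrator cares about: the client address that ends up in Squid's log, and the X-Forwarded-For header that leaves Squid toward the website. The 192.168.10.23 client address is constructed, and only the forwarded_for values quoted above (on, delete) are modelled.

```javascript
// Hop 1: DansGuardian with `forwardedfor = on` adds X-Forwarded-For carrying
// the real client address, then relays to Squid over loopback.
// Simplification: the header is set, not appended to an existing chain.
function dansguardianForward(headers, clientIp, forwardedfor) {
  var out = Object.assign({}, headers);
  if (forwardedfor) {
    out["X-Forwarded-For"] = clientIp;
  }
  return { headers: out, directClient: "127.0.0.1" };
}

// Hop 2a: what Squid logs. `follow_x_forwarded_for allow localhost` trusts the
// header only when the direct client is 127.0.0.1; with
// `log_uses_indirect_client on` the last hop in the header is logged.
// Otherwise the direct client (DansGuardian itself) is logged.
function squidLoggedClient(req, followFromLocalhost, logIndirect) {
  var xff = req.headers["X-Forwarded-For"];
  if (!followFromLocalhost || !logIndirect || !xff ||
      req.directClient !== "127.0.0.1") {
    return req.directClient;
  }
  var hops = xff.split(",").map(function (h) { return h.trim(); });
  return hops[hops.length - 1];
}

// Hop 2b: what leaves Squid for the origin site. `forwarded_for on` keeps the
// header and appends the direct client, so the internal address inserted by
// DansGuardian is disclosed to the website; `forwarded_for delete` (Squid 3.1+)
// strips the header entirely.
function squidOutboundXff(req, forwardedForSetting) {
  var xff = req.headers["X-Forwarded-For"];
  if (forwardedForSetting === "delete") {
    return null;
  }
  if (forwardedForSetting === "on") {
    return xff ? xff + ", " + req.directClient : req.directClient;
  }
  throw new Error("not modelled here: forwarded_for " + forwardedForSetting);
}

// Walk one request through both hops with a constructed internal client
// address and report the two observable results.
function demo(forwardedForSetting, forwardedfor) {
  var req = dansguardianForward({}, "192.168.10.23", forwardedfor);
  return {
    logged: squidLoggedClient(req, true, true),
    outbound: squidOutboundXff(req, forwardedForSetting)
  };
}
```

With forwarded_for on, the address that makes the log useful is the same internal address the website receives; forwarded_for delete keeps the log entry and drops the disclosure.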

Sunday, January 30, 2011

Obtaining Your pbuilder Build Environment

"Archive: stable Component: main Origin: pbuilder Label: pbuilder Architecture: i386"

Wednesday, January 12, 2011

Tuesday, January 4, 2011

Cut or copy lines without counting the lines - Vim Tips Wiki

"If you ever need to cut/copy/delete/paste lines without knowing the actual number of lines, here is what you should do.

1. In normal mode, go to the beginning of the section that you want to yank.
2. Type mk to mark this spot as k.
3. Go to the end of the section you want to yank using whatever movement commands you like.
4. Type y'k (that is, y, ', k) to yank from the mark to the current location.
5. You can paste those lines wherever you want with p.

Similarly, d'k will cut/delete the lines from the current location to the mark."

Failover with ISC DHCP

"failover peer 'dhcp-failover';"

IBM Cluster information center


Setting up Linux DHCP server failover